Moim

Reputation: 496

How to resolve SAS URL for Storage Account in RM Template

I am trying to create an RM template that creates a web site and configures it for logging to blob storage.

I saw this post on Stack Overflow, which shows how to configure this.

The JSON looks somewhat like the following:

{
  "id": "/subscriptions/.../config/logs",
  "name": "logs",
  "type": "Microsoft.Web/sites/config",
  "location": "North Central US",
  "properties": {
    "applicationLogs": {
      "fileSystem": {
        "level": "Off"
      },
      "azureBlobStorage": {
        "level": "Information",
        "sasUrl": "...",
        "retentionInDays": 14
      }
    },
    ...
}

However, I couldn't figure out how the sasUrl should be calculated/resolved into this file?

Upvotes: 3

Views: 1549

Answers (2)

bmoore-msft

Reputation: 8737

Moim, I don't think you can create a sasToken within the template. As MichaelB mentioned you can create it before you do the deployment and either pass it in as a parameter or simply hardcode it in the template (not ideal since this is a secret). A couple things to add to Michael's code: 1) you need the full URL and a container and 2) you'll want to set an expiry time on the token so it doesn't expire and prevent logging to it. For example:

# $context is the storage context created in Michael B's script
$SasToken = New-AzureStorageContainerSASToken -Container 'logs' `
   -Context $context -Permission rwdl -ExpiryTime (Get-Date).AddYears(1) -FullUri

The other way you can do this is to create a sasToken, store it in Azure KeyVault, and reference that KeyVault secret in the template. This blog has a few posts that walk through setting that up: http://www.codeisahighway.com/how-to-refer-an-azure-key-vault-secret-in-an-azure-resource-manager-deployment-template/

Upvotes: 1

Michael B

Reputation: 12228

To create a SAS URL for a container you would use the New-AzureStorageContainerSASToken cmdlet.

A script like this should work:

 # Build a storage context from the account key
 $context = New-AzureStorageContext -StorageAccountName $name `
                       -StorageAccountKey ((Get-AzureRmStorageAccountKey `
                       -ResourceGroupName $rg -Name $name).Key1)
 # Generate a SAS token for the 'sql' container
 New-AzureStorageContainerSASToken -Name sql `
                                   -Permission rwdl -Context $context

You might need to add -FullUri to the end of the last one.

Upvotes: 2
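Added example, not part of either answer: the two answers combined into one script that generates the SAS URL before deployment and hands it to the template as a `securestring` parameter, so the secret is not written into the template file. The parameter names (`siteName`, `logsSasUrl`), the `logs.json` file name and the `2015-08-01` API version are assumptions, as is the prior existence of the web site and the `logs` container.

```powershell
# Added example; script parameters and template parameter names are assumptions.
param(
    [Parameter(Mandatory)] [string] $rg,           # resource group
    [Parameter(Mandatory)] [string] $storageName,  # storage account for the logs
    [Parameter(Mandatory)] [string] $siteName      # existing web site
)

# Template: sasUrl comes from a securestring parameter, so the value is not
# stored in the template file and cannot be read back from the deployment.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName":   { "type": "string" },
    "logsSasUrl": { "type": "securestring" }
  },
  "resources": [ {
    "type": "Microsoft.Web/sites/config",
    "name": "[concat(parameters('siteName'), '/logs')]",
    "apiVersion": "2015-08-01",
    "properties": {
      "applicationLogs": {
        "fileSystem": { "level": "Off" },
        "azureBlobStorage": {
          "level": "Information",
          "sasUrl": "[parameters('logsSasUrl')]",
          "retentionInDays": 14
        }
      }
    }
  } ]
}
'@
$templateFile = Join-Path $env:TEMP 'logs.json'
Set-Content -Path $templateFile -Value $template

# Older AzureRM.Storage returns an object with .Key1; newer releases return a list.
$keys    = Get-AzureRmStorageAccountKey -ResourceGroupName $rg -Name $storageName
$key     = if ($keys.Key1) { $keys.Key1 } else { $keys[0].Value }
$context = New-AzureStorageContext -StorageAccountName $storageName -StorageAccountKey $key

# Full container URL including the token, with an explicit expiry as in the answer above.
$sasUrl = New-AzureStorageContainerSASToken -Name 'logs' -Context $context `
    -Permission rwdl -ExpiryTime (Get-Date).AddYears(1) -FullUri

New-AzureRmResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templateFile `
    -TemplateParameterObject @{ siteName = $siteName; logsSasUrl = $sasUrl }
```

The token stops working at its expiry time, so the deployment has to be re-run with a fresh SAS URL before then for logging to continue.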
